NHS Data Sharing at Oakley Health Group

Oakley Health Group places privacy and data protection at the heart of all its processing.

We share information from your medical records in a number of ways.

In North East Hampshire & Farnham, a number of data sharing schemes are running that involve either extracting and uploading information from your GP record to a 3rd party data controller, a data processor, or making information from your GP record visible to other healthcare professionals.

You have the right to control how your personal information is used and who has access to it.

You can do this by opting out of any or all of these schemes. And you can opt back into any of the schemes, at any time.

The Summary Care Record (SCR)

This is a national centralised database of limited medical information (allergies and medication only), extracted and uploaded from your GP record to NHS Digital. That information is then potentially available to medical staff nationwide.

There are no secondary uses of the SCR, and data uploaded to the SCR database is neither shared nor used beyond that required to provide direct medical care.

All our community nurses already have full access to the GP records of our patients (through our EMIS Web clinical system).

The Hampshire Health Record (HHR)

This is a complex, localised centralised database of very large amounts of medical information extracted and uploaded from your GP record to NHS South, Central and West CSU, where it is combined with information from hospital records, community care records, social care records and mental health records.

That combined information is then potentially available to medical staff across Hampshire (i.e. regionally), by a large number of organisations (NHS, non-NHS and private).

Please note that you may not be asked for your explicit permission before your HHR information is accessed by a clinician.

In the majority of occasions, your explicit consent will be obtained prior to your HHR being accessed by a clinician, but that may not always be the case. Whilst access to the HHR has always been permissible (under the DPA and common law) in a true emergency, when a patient is incapable of consenting (e.g. unconscious), clinicians are seemingly able to access the HHR of a patient in advance of a routine consultation (even though consent could easily be obtained prior to the appointment).

In addition, uploaded data is processed for secondary purposes by some - but not all - organisations uploading to the database.

Our HHR direct care Privacy Impact Assessment can be found here. Neither Frimley Park Hospital A&E nor the local ambulance service (SECAMB), nor SCAS NHS 111 use or access the HHR. Neither Frimley Park Hospital, nor the Royal Berkshire Hospital, nor The Royal Surrey County Hospital upload to (or access) the HHR.

Frimley Primary Care Services GP out-of-hours centre has access to the HHR, but clinicians there use EMIS Web data streaming instead. Our community staff (district nurses & health visitors) have access to the HHR, though it is not used by the health visitors, and infrequently by our district nurses.

All our community nurses already have full access to the GP records of our patients (through our EMIS Web clinical system).

Risk Stratification for Case Finding

Mandatory data collections

GP surgeries are sometimes required by law to extract and upload data to NHS Digital. We are required by law to let patients know about these and of their right to opt-out (fair processing information).

One such mandatory extraction is for Individual GP Level Data - you can read about it here.

Another mandatory data collection is the National Diabetes Audit - you can read about it here.

The other mandatory data collection is the extraction of sick note data to NHS Digital (and thereafter to the DWP), as mentioned above.

If you have opted out of secondary uses of your GP record, then data from your GP record will not be extracted and uploaded to NHS Digital for these purposes.

You can read more about Type 1 secondary uses opt-outs in our factsheet.

You can also read our section on the National Data Opt Out.

Data Processors

Oakley Health Group uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients.

We have a contract with Docmail Ltd to permit them to send out letters from the surgery to patients, for example, to invite them for a flu vaccination. We provide names and addresses only, and a template letter, to Docmail, who then create and post the letters out.

We also have a contract with Hampshire County Council (HCC) to enable them to invite patients for an NHS Health Check on our behalf. Again, we provide demographic data, plus date of birth, to HCC, who then create and post the letters of invitation out.

We also have a contract with Content Capture Ltd to digitize the paper (“Lloyd George”) records of our patients, which will be ultimately imported into the electronic GP record. Once this has been completed, the paper record will be securely destroyed.

Remote Consultations

From 1st October 2017, a small number of routine, pre-bookable Sunday morning GP appointments will be available to patients of Oakley Health Group.

This service is being provided by Frimley Primary Care Services (FPCS), our local GP out of hours provider (part of North Hampshire Urgent Care).

16 x 15-minute GP appointments will be available every Sunday morning and will be bookable via the surgery, in the normal way, if required.

As part of this service, the GP that you see at FPCS will necessarily require access to view your full GP record, and permission to record that consultation directly in your GP record. These types of GP appointments are known as “remote consultations”.

Any accesses to your GP record for remote consultations are recorded and auditable, and are only permissible in this way

Confidentiality

We provide a confidential service to all our patients, including under 16s. This means that you can tell others about a visit to the surgery, but we won't.

You can be sure that anything you discuss with any member of this practice – family doctor, nurse or receptionist – will stay confidential.

Even if you are under 16 nothing will be said to anyone – including parents, other family members, care workers or tutors – without your permission. The only reason why we might have to consider passing on confidential information without your permission would be to protect you or someone else from serious harm. We would always try to discuss this with you first.

Confidential patient data will be shared with the healthcare team at the practice, including nursing staff, admin staff, secretaries and receptionists, and with other healthcare professionals to whom a patient is referred. Those individuals have a professional and contractual duty of confidentiality.

All of our medical records are held on the surgery server. We do not hold any records on laptops, USB sticks or other portable devices.

If you would like any further information about primary or secondary uses of your GP record, opting out, the NHS Databases, access to your medical record, confidentiality, or about any other aspect of NHS data sharing, then please do contact the surgery’s Caldicott Guardian / Information Governance lead:

Why we collect information about you

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.

We collect and hold data for the sole purpose of providing healthcare services to our patients. In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and information such as outcomes of needs assessments.

Details we collect about you

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (e.g. NHS Hospital Trust, other GP Surgery, Out of Hours GP Centre, A&E, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

Records which we may hold about you may include the following:

Details about you, such as your address and next of kin, emergency contacts, carers and those you authorise to collect prescriptions (and other such items) on your behalf

Any contact the surgery has had with you, such as appointments, clinic visits, immunisations, emergency appointments, etc.

Notes and reports about your health

Details about your treatment and care

Results of investigations, such as laboratory tests, x-rays, etc.

Relevant information from other health professionals, relatives or those who care for you (including that provided via our surgery website)

How we keep your information confidential and safe

All your GP NHS health records are kept electronically. Our GP records database is hosted by EMIS Health Ltd, who is acting as a data processor, and all information is stored on their secure servers in Leeds, is protected by appropriate security, and access is restricted to authorised personnel.

We also make sure that data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

We only email you, or use your mobile number to text you, regarding matters of medical care, such as appointment reminders and (if appropriate) test results. Unless you have separately given us your explicit consent, we will not email you for non-medical matters (such as surgery newsletters and other information).

We maintain our duty of confidentiality to you always. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

How we use information about you

Confidential patient data will be shared within the healthcare team at the practice, including nursing staff, admin staff, secretaries and receptionists, and with other healthcare professionals to whom a patient is referred. Those individuals have a professional and contractual duty of confidentiality.

Details of who is authorised to access your GP record can be found in our “Your Medical Records” section.

Data Processors

Oakley Health Group uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients. Details of these data processors can be found in our “Your Medical Records” section.

Referrals for specific health care purposes

We sometimes provide your information to other organisations for them to provide you with medical services. We will always inform you of such a referral and you always have the right not to be referred in this way. These include:

Referrals for home oxygen services (“HOOF”)

Referrals for Diabetes dietary advice (“DESMOND”)

Referrals for Diabetes Eye Screening (DRS)

Referrals for Prediabetes advice (“Healthier You”)

Data Sharing Schemes

A number of data sharing schemes are active locally, enabling healthcare professionals outside of the surgery to view information from your GP record, with your explicit consent, should that need arise. These schemes are as follows:

The National Summary Care Record (SCR)

The Hampshire Health Record (HHR, or CHIE)

EMIS Web data streaming (A&E, GP out of hours, PHTC)

Remote Consultations (GP out of hours)

Adastra Web Access (GP out of hours)

IBIS (Ambulance service)

Symphony (Frimley Park Hospital A&E)

Details of these schemes, and of your right to opt-out of any or all of them, can be found in our “Your Medical Records” section.

Mandatory disclosures of information

We are sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances, the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

That organisation will also have a professional and contractual duty of confidentiality. Data will be anonymised if at all possible before disclosure if this would serve the purpose for which the data is required.

Organisations that we are sometimes obliged to release information to include:

NHS Digital (e.g. the National Diabetes Audit)

CQC

DVLA

GMC

HMRC

NHS Counter Fraud

Police

The Courts

Public Health England

Local Authorities (Social Services)

The Health Service Ombudsman

In the event of actual or possible legal proceedings, we may need to disclose information from an individual’s GP record to a medical defence organisation.

Permissive disclosures of information

Only with your explicit consent, Oakley Health Group can release information about you, from your GP record, to relevant organisations. These may include:

Your employer

Insurance companies

Solicitors

Local Authorities

Police

Accessing your information on other databases

Oakley Health Group can access certain medical information about you, when relevant or necessary, that is held on other databases (i.e. under the control of another data controller). These include Frimley Park Hospital databases and NHS Digital’s Open Exeter database. Accessing such information would only be for your direct medical care.

Research

Oakley Health Group sometimes undertakes accredited research projects. Where this involves accessing identifiable patient information, we will only do so with the explicit consent of the individual and Research Ethics Committee approval, or where we have been provided with special authority to do so without consent (s251 HRA/CAG approval, e.g. for the National Cancer Diagnosis Audit).

Oakley Health Group is not currently involved with other research projects such as the Clinical Practice Research Database (CPRD) or QResearch, and we do not permit secondary processing (e.g. for research or "analytics") of our patients’ information uploaded to the Hampshire Health Record.

Your right to opt-out of sharing your information

You have the right to opt-out (or object) to ways in which your information is shared, both for direct medical care purposes (such as the national NHS data sharing schemes), i.e. primary uses of your information, or for purposes other than your direct medical care – so called secondary uses.

Details of these purposes, and how you can opt out, can be found in our “Your Medical Records” section.

Accessing your own medical information

You have the right to access your own GP record. Details of how to do this can be found in our “Your Medical Records” section.

You can also sign up to have secure online access to your electronic GP record. Again, details of how to do this can be found in our “Your Medical Records” section.

Lawful bases for processing and the EU GDPR

Detailed information (individual privacy notices) about all our data processing activities, including lawful bases, can be found on our website, upon request from the surgery, or from the Data Protection Officer (Dr Neil Bhatia).

We rely upon Article 6(1)(e) Official Authority and Article 9(2)(h) Provision of Health for much of our processing, in particular:

If you would like any further information about primary or secondary uses of your GP record, opting out, the NHS Databases, access to your medical record, confidentiality, or about any other aspect of NHS data sharing or your medical records, then please do contact the surgery’s Caldicott Guardian / Information Governance lead:

Mobile phone numbers & email addresses

We ask all our patients to provide us with their mobile phone numbers and their email address, if they have them and should they so wish.

We use your mobile phone number in two ways:

to contact you, as an alternative to your landline number

to send you SMS text messages

The texts that we send are only ever related to your medical care - for example, reminding you of a forthcoming appointment at the surgery, an invitation for a check-up or immunisation, or to inform you that a blood test or x-ray result is back.

We do not use SMS for direct marketing in any way.

If you would prefer us not to ring you on your mobile phone then please say so and we will either not add your mobile phone number to your record, or remove any existing mobile phone number.

If you would prefer us not to send you SMS text messages - but you are happy for us to ring you on your mobile phone (when needed) - then please say so and we will mark your record as "no SMS text messages".

We occasionally use email to communicate with our patients, again for matters related to your direct medical care.

Unless you have separately given us your explicit consent, we will not email you for non-medical matters (such as surgery newsletters and other information).

If you would prefer us not to email you then please say so and we will either not add your email address to your record, or remove any existing email address.

Oakley Health Group and the GDPR

Oakley Health Group has ensured that it meets its obligations under the General Data Protection Regulation (GDPR), in force on 25th May 2018, and in particular how the surgery processes personal data, including sensitive health records.

NHS Data Sharing databases

We allow access to relevant information from your medical record, with your explicit consent, to healthcare staff working in A&E, the GP out-of-hours service and the Ambulance service.

Accessing your information on other databases

We can access information about you held by other organisations, in order to help us provide you with medical care and so that we can assist authorities with the national screening programmes.

The Data Protection Act/GDPR gives you certain rights when it comes to your GP medical record.

The Right to be Informed

Oakley Health Group provides full and detailed fair processing information about how your personal and sensitive data is processed by the surgery. Details can be found in this "Medical Record" section, with external links to more detailed information.

The Right to Rectification

You have the right to ask for factual inaccuracies in your GP record to be corrected.

How do I opt-out of EMIS Web data streaming?

prevent your GP record from being accessible by the GP out-of-hours service (FPCS) and A&E at Frimley Park Hospital

opt you out of the Hampshire Health Record

How do I opt-out of SMS messages (for medical purposes) from the surgery?

Just ask in person at the surgery, or in writing, or by email. We will then only ring you on your mobile phone (if we need to).

How do I opt-out of Email messages (for medical purposes) from the surgery?

Just ask in person at the surgery, or in writing, or by email. We will then remove your email address from your GP record.

How do I withdraw my consent to receive non-medical Email messages from the surgery?

You will only receive such messages (newsletters, surveys, general information etc) if you have given us your separate, explicit consent to do so. To withdraw your consent, simply ask in person at the surgery, or in writing, or by email. We will then no longer send you any such messages.

What about other data processing activities?

Oakley Health Group does not currently undertake Risk Stratification (via a data processor). You do not need to opt-out of, or object, to this.

Oakley Health Group does not permit secondary uses of GP records uploaded to the Hampshire Health Record. You do not need to opt-out of, or object, to this.

Oakley Health Group does not contribute to QResearch. You do not need to opt-out of, or object, to this.

Oakley Health Group does not contribute to the CPRD. You do not need to opt-out of, or object, to this.

What is the National Data Opt Out (NDOO)?

The NDOO is a mechanism by which individuals in England can control, to a limited degree, certain aspects of their confidential medical information and, in particular, what NHS Digital can do with it once in their possession.

The NDOO only applies to confidential information, that is medical information that can identify you, for example by containing your name, DOB, address, NHS number etc.

And the NDOO only applies to uses of your confidential medical information for secondary purposes, that is unrelated to, and beyond, the direct medical care that GP surgeries and other healthcare organisations provide you with when you are unwell, or to keep you well. Secondary purposes include healthcare planning, audit, population analytics, “risk stratification”, research, "commissioning", commercial and even political uses.

The NDOO is not limited to electronic data and so includes paper records.

It simply replaces the Type 2 (9Nu4) opt-out that has been in force for some years, and which you were able to express, together with the Type 1 (9Nu0) objection, via your GP surgery.

If I set, or keep, my NDOO status at “do not allow”, what will this mean?

Confidential medical information obtained by NHS Digital from GP surgeries, hospital trusts, mental health providers and social care, will not be released or disseminated by them in a format that can identify you.

In addition, and in time, the NDOO will prohibit certain data extractions from your GP record, where this involves confidential medical information, such as where your permission or consent has not been sought before your data was released (so-called section 251 approval).

They will in no way affect the sharing of information for the purposes of an individual’s care and treatment, e.g. where information is shared between a GP surgery and a hospital. It will not stop your GP using the Electronic Referral Service (eRS), the Electronic Prescription Service (EPS), or GP2GP transfers of medical records.

They will in no way affect the National Summary Care Record (SCR). You can opt-out of the SCR via the surgery or our website.

They will in no way affect any local shared care record project or scheme, such as the Hampshire Health Record. You can opt-out of the Hampshire Health Record via the surgery or our website.

They will in no way prevent you from registering for secure online access to your GP record (Patient Online), so that you can book appointments, request repeat medication and view/download your GP medical record. More information about this can be found on our website.

They will in no way affect situations where the surgery, or other healthcare organisation, is legally required to share your information (such as a court order or when mandated under section 259 of the Health and Social Care Act – but see later).

They will in no way affect you being invited, when appropriate, for any of the National Screening Programmes, such as cervical/breast/bowel/abdominal aortic aneurysm/diabetic eye screening. You can opt-out of these separately, if you wish.

They will in no way stop information being provided to the National Disease/Cancer Registries (run by Public Health England). You can opt-out of this separately, if you wish.

They will in no way affect situations where the surgery, or any other healthcare organisation, shares data in an anonymised or aggregate (numbers only) format, in other words where that data cannot identify an individual, such as "open data".

The NDOO/Type 1 objection will in no way prevent you from taking part in accredited medical research, at your GP surgery/local hospital/other health organisation, where you have given your explicit consent to be involved (i.e. you have been asked first).

The National Data Opt Out doesn't stop you contributing to any research where you are asked first.

It only stops the use of your confidential medical information where you are not asked before your data is taken and used.

Will the NDOO stop my confidential GP information being uploaded to NHS Digital in the first place?

No.

NHS Digital does not rely upon section 251 approval (anymore) for data gathering, preferring instead to make such data collections compulsory under section 259 of the Health and Social Care Act.

However, the existing secondary uses, Type 1 (9Nu0), opt-out that many people have in force on their GP record will prohibit data (confidential and, in some cases, de-identified) from being extracted and uploaded from your GP record to NHS Digital.

In addition, the Type 1 opt-out will also prohibit section 251 approved data extractions, for example for “risk stratification”, as well as the mandatory section 259 extractions.

So how do I maximally limit secondary uses of my medical records, beyond my direct medical care, should I wish to?

Set your NDOO status to “do not allow”, see later for how to do this, and

Make sure you have a secondary uses, Type 1 (9Nu0) objection in force on your GP record – do this via the surgery or our website

What about preventing NHS Digital releasing or disseminating anonymised and pseudonymised data about me?

You cannot – directly. And you have no control over why they are doing this, for what purpose(s), and to which organisation they are releasing your information.

But you can limit how much information NHS Digital gathers about you from healthcare organisations, by maximally limiting the secondary uses of your medical records, as described above.

So how do I set, check, or update my National Data Opt Out status?

If you had previously requested a Type 2 objection to be in force, via the surgery, then this will automatically have set your NDOO status to “do not allow”. You should have received a letter from NHS Digital, confirming this, in due course. Any children aged 13yrs or over will have received their own letter as well.

It is no longer possible to directly view, set or change your NDOO status at your GP surgery.

Anyone aged 12yrs or younger, or anyone acting on behalf of another individual (i.e. as a proxy, perhaps with lasting power of attorney authority), cannot do this online but will have to ring 0300 330 9412 instead (or use other so-called “non-digital” methods).

Where can I find more information about sharing my medical information?

If you would like any further information about the NDOO, GDPR, primary or secondary uses of your GP record, opting out, the NHS Databases, access to your medical record, confidentiality, or about any other aspect of NHS data sharing or your medical records, then please do contact the surgery’s Caldicott Guardian / Information Governance lead / Data Protection Officer: